/**
   * Ensures a user has a private message store below their home folder.
   *
   * <p>Groups and authorizables without an ID are skipped. For a user the
   * {@code MessageConstants.FOLDER_MESSAGES} node is created (or reused) under the home folder,
   * typed as a Sakai message store, and its ACL is set so that the user holds {@code JCR_ALL}
   * while the anonymous principal and "everyone" are explicitly denied read and write.
   *
   * @param authorizable the authorizable being post-processed
   * @param session the session used for node creation and ACL changes
   * @param change the modification that triggered processing; not consulted here
   * @throws Exception propagated from the repository and ACL helpers
   */
public void process(Authorizable authorizable, Session session, Modification change)
      throws Exception {
    LOGGER.debug("Starting MessageAuthorizablePostProcessor process");
    boolean isNamedUser =
        authorizable != null && authorizable.getID() != null && !authorizable.isGroup();
    if (!isNamedUser) {
      return;
    }

    PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(session);
    String storePath =
        PersonalUtils.getHomeFolder(authorizable) + "/" + MessageConstants.FOLDER_MESSAGES;
    LOGGER.debug("Getting/creating message store node: {}", storePath);

    Node store = JcrUtils.deepGetOrCreateNode(session, storePath);
    store.setProperty(
        JcrResourceConstants.SLING_RESOURCE_TYPE_PROPERTY, MessageConstants.SAKAI_MESSAGESTORE_RT);

    // ACL's are managed by the Personal User Post processor.
    Principal anonymous =
        new Principal() {

          public String getName() {
            return UserConstants.ANON_USERID;
          }
        };
    Principal everyone = principalManager.getEveryone();

    // Owner: full control on the store node.
    replaceAccessControlEntry(
        session, storePath, authorizable.getPrincipal(), new String[] {JCR_ALL}, null, null, null);

    // Private space: explicit deny for anon and everyone so nothing inherited lets them in.
    String[] denied = new String[] {JCR_READ, JCR_WRITE};
    replaceAccessControlEntry(session, storePath, anonymous, null, denied, null, null);
    replaceAccessControlEntry(session, storePath, everyone, null, denied, null, null);
  }
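  /**
   * Derives {@code hiddenFieldValue} from the component's {@code PROP_LIST} setting.
   *
   * <p>Option 1: the name of the last maker/checker/reader group the current user belongs to.
   * Option 2: the current user's principal name. Option 3: not implemented. Option 4: the static
   * {@code STATIC_VALUE} property. When the setting is missing, the user manager cannot be
   * adapted, or there is no user principal, {@code hiddenFieldValue} is left unchanged instead of
   * failing with a {@link NullPointerException}.
   *
   * @throws Exception propagated from the user manager lookups
   */
  @Override
  public void activate() throws Exception {
    String listGroup = getProperties().get(PROP_LIST, String.class);
    if (listGroup == null) {
      // Nothing configured on the component; keep whatever value the field already has.
      return;
    }

    if (listGroup.equals(PROP_LIST_OPTION1)) {
      UserManager userManager = getResourceResolver().adaptTo(UserManager.class);
      if (userManager == null || getRequest().getUserPrincipal() == null) {
        return;
      }
      Authorizable currentUser = userManager.getAuthorizable(getRequest().getUserPrincipal());
      if (currentUser == null) {
        return;
      }
      Iterator<Group> groups = currentUser.memberOf();
      while (groups.hasNext()) {
        String groupName = groups.next().getPrincipal().getName();
        // Deliberately no break: the last matching group wins.
        if (groupName.equals(MAKER_GROUP)
            || groupName.equals(CHECKER_GROUP)
            || groupName.equals(READER_GROUP)) {
          hiddenFieldValue = groupName;
        }
      }
    } else if (listGroup.equals(PROP_LIST_OPTION2)) {
      if (getRequest().getUserPrincipal() != null) {
        hiddenFieldValue = getRequest().getUserPrincipal().getName();
      }
    } else if (listGroup.equals(PROP_LIST_OPTION3)) {
      // to be added
    } else if (listGroup.equals(PROP_LIST_OPTION4)) {
      hiddenFieldValue = getProperties().get(STATIC_VALUE, String.class);
    }
  }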
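 /**
  * Applies the JSON document at {@code url} to {@code authorizable} and runs post-processing.
  *
  * <p>Top-level keys starting with {@link SlingPostConstants#RP_PREFIX} are collected as
  * post-processor parameters (each value wrapped in a one-element array); every other key is
  * stored as a property on the authorizable through {@link JcrResourceUtil#createValue}.
  * Malformed JSON and post-processing failures are logged and do not propagate, so a partially
  * applied document still triggers post-processing with whatever parameters were read.
  *
  * @param url location of the JSON document; the stream opened from it is always closed
  * @param authorizable target of the properties
  * @param session session used to create JCR values and to run post-processing
  * @throws IOException if the document cannot be read
  * @throws RepositoryException if setting a property on the authorizable fails
  */
 private void applyJsonToAuthorizable(URL url, Authorizable authorizable, Session session)
     throws IOException, RepositoryException {
   java.io.InputStream in = url.openStream();
   String jsonString;
   try {
     jsonString = IOUtils.readFully(in, "UTF-8");
   } finally {
     // Closing here does not depend on whether readFully closes; a second close is harmless.
     in.close();
   }
   if (jsonString == null) {
     return;
   }

   Map<String, Object[]> postprocessParameters = new HashMap<String, Object[]>();
   try {
     JSONObject jsonObject = new JSONObject(jsonString);
     Iterator<String> keys = jsonObject.keys();
     while (keys.hasNext()) {
       String key = keys.next();
       Object jsonValue = jsonObject.get(key);
       if (key.startsWith(SlingPostConstants.RP_PREFIX)) {
         postprocessParameters.put(key, new Object[] {jsonValue});
       } else {
         Value value = JcrResourceUtil.createValue(jsonValue, session);
         authorizable.setProperty(key, value);
       }
     }
   } catch (JSONException e) {
     // Best effort: keep whatever was applied before the parse failed.
     LOGGER.error("Faulty JSON at " + url, e);
   }
   try {
     authorizablePostProcessService.process(
         authorizable, session, ModificationType.CREATE, postprocessParameters);
   } catch (Exception e) {
     LOGGER.error("Could not configure default authorizable " + authorizable.getID(), e);
   }
 }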
 /**
  * Resolves the next principal to its authorizable resource.
  *
  * <p>The path is the user or group prefix followed by the principal name, depending on
  * {@code Authorizable#isGroup()}.
  *
  * @return the resource for the next principal, or {@code null} when the resolver, session, user
  *     manager or authorizable cannot be obtained or a {@link RepositoryException} occurs (logged).
  *     NOTE(review): a {@code null} return instead of {@code NoSuchElementException} means callers
  *     must null-check each element.
  */
 public Resource next() {
   Principal principal = principals.nextPrincipal();
   try {
     ResourceResolver resolver = parent.getResourceResolver();
     if (resolver == null) {
       return null;
     }
     Session session = resolver.adaptTo(Session.class);
     if (session == null) {
       return null;
     }
     UserManager userManager = AccessControlUtil.getUserManager(session);
     if (userManager == null) {
       return null;
     }
     Authorizable authorizable = userManager.getAuthorizable(principal.getName());
     if (authorizable == null) {
       return null;
     }
     String resourcePath;
     if (authorizable.isGroup()) {
       resourcePath = SYSTEM_USER_MANAGER_GROUP_PREFIX + principal.getName();
     } else {
       resourcePath = SYSTEM_USER_MANAGER_USER_PREFIX + principal.getName();
     }
     return new SakaiAuthorizableResource(authorizable, resolver, resourcePath);
   } catch (RepositoryException re) {
     log.error("Exception while looking up authorizable resource.", re);
     return null;
   }
 }
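  /**
   * KERN-1026 changed the results of this to be the authz's that are members of the managers group
   * associated to a group rather than the group managers associated to the group.
   *
   * <p><del>Get the managers for a group. These should be stored in the {@link
   * UserConstants#PROP_GROUP_MANAGERS}.</del>
   *
   * <p>The managers group is the single value of {@link UserConstants#PROP_MANAGERS_GROUP} on
   * {@code group}. A missing or multi-valued property, a reference that does not resolve to a
   * group, and members that cannot be re-resolved through the user manager all yield fewer
   * entries rather than an exception.
   *
   * @param request the current request; its resource resolver supplies the JCR session
   * @param group the group whose managers are listed
   * @param comparator ordering of the map keys; {@code null} for the natural order
   * @return sort name (see {@code getName}) to authorizable, possibly empty
   * @throws RepositoryException on repository errors
   * @throws JSONException declared for API compatibility; nothing here throws it
   */
  protected TreeMap<String, Authorizable> getManagers(
      SlingHttpServletRequest request, Group group, Comparator<String> comparator)
      throws RepositoryException, JSONException {
    TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);

    // KERN-949 will probably change this.
    // note above was made before this was changed to retrieving members of the managers
    // group and may not apply.
    Session session = request.getResourceResolver().adaptTo(Session.class);
    UserManager um = AccessControlUtil.getUserManager(session);
    Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
    if (managersGroup == null || managersGroup.length != 1) {
      return map;
    }

    String mgrGroupName = managersGroup[0].getString();
    Authorizable mgrAuthorizable = um.getAuthorizable(mgrGroupName);
    if (!(mgrAuthorizable instanceof Group)) {
      // Dangling or mis-typed reference: no managers rather than NPE / ClassCastException.
      return map;
    }

    Iterator<Authorizable> members = ((Group) mgrAuthorizable).getMembers();
    while (members.hasNext()) {
      Authorizable member = members.next();
      String prinName = member.getPrincipal().getName();
      Authorizable mau = um.getAuthorizable(prinName);
      if (mau == null) {
        continue;
      }
      map.put(getName(mau), mau);
    }
    return map;
  }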
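 /**
  * {@inheritDoc}
  *
  * <p>Two memberships are equal when both parent and member are equal; a {@code null} parent
  * or member only matches another {@code null}. A {@code null} parent alone is not sufficient,
  * the member must match too, which keeps this consistent with {@link #hashCode()}.
  *
  * @see java.lang.Object#equals(java.lang.Object)
  */
 @Override
 public boolean equals(Object obj) {
   if (this == obj) {
     return true;
   }
   if (!(obj instanceof Membership)) {
     return false;
   }
   Membership other = (Membership) obj;
   boolean sameParent =
       parent == null ? other.getParent() == null : parent.equals(other.getParent());
   if (!sameParent) {
     return false;
   }
   return member == null ? other.getMember() == null : member.equals(other.getMember());
 }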
 /**
  * Builds the key an authorizable is sorted on: {@code sakai:group-title} for groups,
  * {@code lastName} for users, falling back to the ID when the property is absent or empty.
  *
  * @param member the authorizable to build the key for
  * @return the display name with the ID appended, so keys stay unique across same-named entries
  * @throws RepositoryException on repository errors
  */
 private String getName(Authorizable member) throws RepositoryException {
   String id = member.getID();
   String sortProperty = member.isGroup() ? "sakai:group-title" : "lastName";
   String displayName = id;
   Value[] values = member.getProperty(sortProperty);
   if (values != null && values.length != 0) {
     displayName = values[0].getString();
   }
   // The ID suffix keeps the map keys unique.
   return displayName + id;
 }
  /** A non-group user with one e-mail property resolves to exactly that address. */
  @Test
  public void testGetEmailAddrs_User() throws Exception {
    final String userPath = "/home/users/a/admin";
    final String address = "*****@*****.**";

    Authorizable admin = mock(Authorizable.class);
    when(admin.isGroup()).thenReturn(false);
    when(admin.hasProperty(PN_EMAIL)).thenReturn(true);
    when(admin.getProperty(PN_EMAIL)).thenReturn(new MockValue[] {new MockValue(address)});

    Resource userResource = mock(Resource.class);
    when(userResource.adaptTo(Authorizable.class)).thenReturn(admin);

    ResourceResolver resolver = mock(ResourceResolver.class);
    when(resolver.getResource(userPath)).thenReturn(userResource);

    String[] emails = SendTemplatedEmailUtils.getEmailAddrsFromUserPath(resolver, userPath);

    assertEquals(1, emails.length);
    assertEquals(address, emails[0]);
  }
  /**
   * Adds an authorizable to the viewers or managers of a pooled content item.
   *
   * <p>A member node under {@code filePath} is created or reused, typed as
   * {@code POOLED_CONTENT_USER_RT}, and its {@code memberType} property set to the principal
   * name; the member's access is then refreshed from that node.
   *
   * @param session session used for node creation and access changes
   * @param filePath path of the pooled content item
   * @param authorizable the user or group to add
   * @param memberType name of the membership property (viewer or manager list)
   * @throws RepositoryException on repository errors
   */
  protected void addMember(
      Session session, String filePath, Authorizable authorizable, String memberType)
      throws RepositoryException {
    Principal principal = authorizable.getPrincipal();
    String memberPath = getMemberNodePath(filePath, authorizable);

    // One node per member; re-adding an existing member just rewrites the property.
    Node memberNode = JcrUtils.deepGetOrCreateNode(session, memberPath);
    memberNode.setProperty(SLING_RESOURCE_TYPE_PROPERTY, POOLED_CONTENT_USER_RT);
    memberNode.setProperty(memberType, new String[] {principal.getName()});

    // ACEs for this principal are derived from the member node.
    refreshMemberAccess(session, filePath, principal, memberNode);
  }
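 /**
  * Collects the groups that {@code member} manages: every group the member belongs to that
  * carries a single-valued {@link UserConstants#PROP_MANAGED_GROUP} naming the managed group.
  *
  * @param member the authorizable whose memberships are inspected
  * @param userManager used to resolve the managed group id
  * @return managed group id to group in natural order; references that do not resolve to a
  *     group are skipped
  * @throws RepositoryException on repository errors
  */
 @Override
 protected TreeMap<String, Group> getGroups(Authorizable member, UserManager userManager)
     throws RepositoryException {
   TreeMap<String, Group> managedGroups = new TreeMap<String, Group>();
   Iterator<Group> memberships = member.memberOf();
   while (memberships.hasNext()) {
     Group group = memberships.next();
     if (!group.hasProperty(UserConstants.PROP_MANAGED_GROUP)) {
       continue;
     }
     Value[] values = group.getProperty(UserConstants.PROP_MANAGED_GROUP);
     if (values == null || values.length != 1) {
       continue;
     }
     String managedGroupId = values[0].getString();
     Authorizable managed = userManager.getAuthorizable(managedGroupId);
     // A deleted group or a user id would otherwise become a null entry or a
     // ClassCastException; such references are left out of the result.
     if (managed instanceof Group) {
       managedGroups.put(managedGroupId, (Group) managed);
     }
   }
   return managedGroups;
 }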
  /**
   * Removes a user or group from the viewer list or the manager list of a pooled content item.
   *
   * <p>Only the named membership property is cleared; the member node itself stays. A single
   * user or group may be on both lists, so removal from one list does not necessarily change
   * its access.
   *
   * @param session session used to look up and modify the member node
   * @param filePath path of the pooled content item
   * @param authorizable the user or group to remove
   * @param memberType name of the membership property to clear
   * @throws RepositoryException on repository errors
   */
  protected void removeMember(
      Session session, String filePath, Authorizable authorizable, String memberType)
      throws RepositoryException {
    String memberPath = getMemberNodePath(filePath, authorizable);
    if (!session.itemExists(memberPath)) {
      return; // never was a member
    }
    Node memberNode = session.getNode(memberPath);
    if (!memberNode.hasProperty(memberType)) {
      return; // not on this particular list
    }

    memberNode.setProperty(memberType, (Value[]) null);

    // Update ACEs that refer to this member.
    refreshMemberAccess(session, filePath, authorizable.getPrincipal(), memberNode);
  }
  /** A group resource yields one address per member, in member order. */
  @Test
  public void testGetEmailAddrs_Group() throws Exception {
    final String groupPath = "/home/users/g/group";
    final String address = "*****@*****.**";

    List<Authorizable> members = new ArrayList<Authorizable>();
    members.add(mockUserWithEmail(address));
    members.add(mockUserWithEmail(address));

    Group group = mock(Group.class);
    when(group.getMembers()).thenReturn(members.iterator());

    Authorizable groupAuthorizable = mock(Authorizable.class);
    when(groupAuthorizable.isGroup()).thenReturn(true);

    Resource groupResource = mock(Resource.class);
    when(groupResource.adaptTo(Authorizable.class)).thenReturn(groupAuthorizable);
    when(groupResource.adaptTo(Group.class)).thenReturn(group);

    ResourceResolver resolver = mock(ResourceResolver.class);
    when(resolver.getResource(groupPath)).thenReturn(groupResource);

    String[] emails = SendTemplatedEmailUtils.getEmailAddrsFromUserPath(resolver, groupPath);
    assertEquals(2, emails.length);
    assertEquals(address, emails[0]);
    assertEquals(address, emails[1]);
  }

  /** Mocks a user authorizable whose {@code PN_EMAIL} property holds the given address. */
  private static Authorizable mockUserWithEmail(String address) throws Exception {
    Authorizable user = mock(Authorizable.class);
    when(user.hasProperty(PN_EMAIL)).thenReturn(true);
    when(user.getProperty(PN_EMAIL)).thenReturn(new MockValue[] {new MockValue(address)});
    return user;
  }
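  /**
   * Replaces the ACL entries for an authorizable at a path.
   *
   * <p>All existing access control entries for the authorizable's principal in the first
   * applicable {@link AccessControlList} at {@code path} are removed; then one allow entry and
   * one deny entry are added, built from {@code privilegeSpec}. Each spec is a privilege name
   * prefixed with {@code GRANTED} or {@code DENIED}; specs with neither prefix, and empty names,
   * are ignored. Because removal happens unconditionally, a call with no usable spec clears the
   * principal's entries at the path rather than leaving them untouched.
   *
   * @param path node path whose applicable ACL policy is updated
   * @param authorizable authorizable whose principal the entries are created for
   * @param session session used to obtain the {@link AccessControlManager}
   * @param privilegeSpec prefixed privilege names, see above
   * @throws RepositoryException if no {@link AccessControlList} policy applies at {@code path},
   *     a privilege name is unknown, or the repository fails
   */
  public static void addEntry(
      String path, Authorizable authorizable, Session session, String... privilegeSpec)
      throws RepositoryException {
    Principal principal = authorizable.getPrincipal();
    String principalName = principal.getName();

    List<String> grantedNames = new ArrayList<String>();
    List<String> deniedNames = new ArrayList<String>();
    for (String spec : privilegeSpec) {
      if (spec.startsWith(GRANTED)) {
        grantedNames.add(spec.substring(GRANTED.length()));
      } else if (spec.startsWith(DENIED)) {
        deniedNames.add(spec.substring(DENIED.length()));
      }
    }

    AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
    AccessControlList updatedAcl = findApplicableAcl(accessControlManager, path);

    // Built unconditionally: cheap, and a log-level change between two isInfoEnabled() checks
    // can no longer leave them null when the final log statement runs.
    StringBuilder oldPrivileges = new StringBuilder();
    StringBuilder newPrivileges = new StringBuilder();

    // Collect first, remove afterwards, so the ACL is not modified while its entries are scanned.
    List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
    for (AccessControlEntry ace : updatedAcl.getAccessControlEntries()) {
      if (!principalName.equals(ace.getPrincipal().getName())) {
        continue;
      }
      if (LOGGER.isInfoEnabled()) {
        LOGGER.info(
            "Found Existing ACE for principal {} on resource: {}",
            new Object[] {principalName, path});
      }
      oldAces.add(ace);
      describePrivileges(ace, oldPrivileges);
    }
    for (AccessControlEntry ace : oldAces) {
      updatedAcl.removeAccessControlEntry(ace);
    }

    Privilege[] granted =
        resolvePrivileges(accessControlManager, grantedNames, "granted=", newPrivileges);
    if (granted.length > 0) {
      updatedAcl.addAccessControlEntry(principal, granted);
    }

    Privilege[] denied =
        resolvePrivileges(accessControlManager, deniedNames, "denied=", newPrivileges);
    if (denied.length > 0) {
      AccessControlUtil.addEntry(updatedAcl, principal, denied, false);
    }

    accessControlManager.setPolicy(path, updatedAcl);

    if (LOGGER.isInfoEnabled()) {
      LOGGER.info(
          "Updated ACE for principalId {} for resource {} from {} to {}",
          new Object[] {
            authorizable.getID(), path, oldPrivileges.toString(), newPrivileges.toString()
          });
    }
  }

  /** Returns the first applicable {@link AccessControlList} at {@code path}. */
  private static AccessControlList findApplicableAcl(AccessControlManager acm, String path)
      throws RepositoryException {
    AccessControlPolicyIterator policies = acm.getApplicablePolicies(path);
    while (policies.hasNext()) {
      AccessControlPolicy policy = policies.nextAccessControlPolicy();
      if (policy instanceof AccessControlList) {
        return (AccessControlList) policy;
      }
    }
    throw new RepositoryException("Unable to find an access conrol policy to update.");
  }

  /** Appends {@code prefix + name} to {@code out}, comma-separating successive entries. */
  private static void appendPrivilege(StringBuilder out, String prefix, String name) {
    if (out.length() > 0) {
      out.append(", ");
    }
    out.append(prefix).append(name);
  }

  /** Records each privilege of {@code ace} as {@code granted=}/{@code denied=} for logging. */
  private static void describePrivileges(AccessControlEntry ace, StringBuilder out)
      throws RepositoryException {
    String prefix = AccessControlUtil.isAllow(ace) ? "granted=" : "denied=";
    for (Privilege privilege : ace.getPrivileges()) {
      appendPrivilege(out, prefix, privilege.getName());
    }
  }

  /**
   * Resolves privilege names to privileges, skipping empty names, and records each one under
   * {@code prefix} in {@code log}.
   */
  private static Privilege[] resolvePrivileges(
      AccessControlManager acm, List<String> names, String prefix, StringBuilder log)
      throws RepositoryException {
    List<Privilege> privileges = new ArrayList<Privilege>();
    for (String name : names) {
      if (name.length() == 0) {
        continue; // empty, skip it.
      }
      Privilege privilege = acm.privilegeFromName(name);
      privileges.add(privilege);
      appendPrivilege(log, prefix, privilege.getName());
    }
    return privileges.toArray(new Privilege[privileges.size()]);
  }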
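 /**
  * {@inheritDoc}
  *
  * <p>Sum of the parent and member hashes; a {@code null} part contributes 0 so that the
  * {@code null}-parent case accepted by {@link #equals(Object)} does not throw here. Non-null
  * values hash exactly as before.
  *
  * @see java.lang.Object#hashCode()
  */
 @Override
 public int hashCode() {
   int parentHash = parent == null ? 0 : parent.hashCode();
   int memberHash = member == null ? 0 : member.hashCode();
   return parentHash + memberHash;
 }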
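  /**
   * Lists the members (default) or managers ({@code managers} selector) of the requested group
   * as a JSON array of profile maps.
   *
   * <p>Selectors: {@code managers} switches to {@code getManagers}, {@code detailed} writes full
   * instead of compact profiles, {@code tidy} pretty-prints. Parameters: {@code sortOrder}
   * ({@code descending} reverses the natural key order), {@code ITEMS} page size (default 25)
   * and {@code PAGE} page index (default 0); negative values fall back to the defaults and
   * non-numeric values are rejected with 400. Authorizables without a profile are logged and
   * skipped without counting against the page size.
   *
   * @param request the group resource request
   * @param response receives JSON; 204 when the resource is not a group, 400 for malformed
   *     paging parameters, 500 on repository or JSON failures
   * @throws ServletException never thrown here; declared by the overridden method
   * @throws IOException if writing the response fails
   * @see org.apache.sling.api.servlets.SlingSafeMethodsServlet#doGet(org.apache.sling.api.SlingHttpServletRequest,
   *     org.apache.sling.api.SlingHttpServletResponse)
   */
  @Override
  protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
      throws ServletException, IOException {
    Group group = groupOf(request.getResource());
    if (group == null) {
      response.sendError(HttpServletResponse.SC_NO_CONTENT, "Couldn't find group");
      return;
    }

    List<String> selectors = Arrays.asList(request.getRequestPathInfo().getSelectors());

    // Natural order (null comparator for the TreeMap) unless sortOrder=descending.
    Comparator<String> comparator = null;
    if (request.getRequestParameter("sortOrder") != null
        && "descending".equals(request.getRequestParameter("sortOrder").getString())) {
      comparator = Collections.reverseOrder();
    }

    // Paging input is client-controlled; answer 400 instead of letting parseLong blow up.
    long items;
    long page;
    try {
      items = longParameter(request, ITEMS, 25);
      page = longParameter(request, PAGE, 0);
    } catch (NumberFormatException e) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Paging parameters must be integers.");
      return;
    }
    if (page < 0) {
      page = 0;
    }
    if (items < 0) {
      items = 25;
    }

    // Content type must be set before getWriter(); afterwards the container ignores it.
    response.setContentType("application/json");
    ExtendedJSONWriter writer = new ExtendedJSONWriter(response.getWriter());
    writer.setTidy(selectors.contains("tidy"));

    try {
      TreeMap<String, Authorizable> map;
      if (selectors.contains("managers")) {
        map = getManagers(request, group, comparator);
      } else {
        // Members is the default.
        map = getMembers(request, group, comparator);
      }

      Iterator<Entry<String, Authorizable>> iterator =
          getInPlaceIterator(request, map, items, page);

      Session session = request.getResourceResolver().adaptTo(Session.class);
      boolean detailed = selectors.contains("detailed");
      writer.array();
      int written = 0;
      while (iterator.hasNext() && written < items) {
        Authorizable au = iterator.next().getValue();
        ValueMap profile =
            detailed
                ? profileService.getProfileMap(au, session)
                : profileService.getCompactProfileMap(au, session);
        if (profile == null) {
          // profile wasn't found.  safe to ignore and not include the group
          logger.info("Profile not found for " + au.getID());
          continue;
        }
        writer.valueMap(profile);
        written++;
      }
      writer.endArray();
    } catch (RepositoryException e) {
      response.sendError(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to retrieve members/managers.");
    } catch (JSONException e) {
      response.sendError(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to build a proper JSON output.");
    }
  }

  /** Returns the resource as a group, or {@code null} when it is absent or not a group. */
  private static Group groupOf(Resource resource) {
    Authorizable authorizable = resource == null ? null : resource.adaptTo(Authorizable.class);
    if (authorizable == null || !authorizable.isGroup()) {
      return null;
    }
    return (Group) authorizable;
  }

  /**
   * Reads a long request parameter.
   *
   * @return {@code defaultValue} when the parameter is absent
   * @throws NumberFormatException when it is present but not a valid long
   */
  private static long longParameter(
      SlingHttpServletRequest request, String name, long defaultValue) {
    String raw = request.getParameter(name);
    return raw == null ? defaultValue : Long.parseLong(raw);
  }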
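  /**
   * Makes {@code memberUserNames} the exact set of users in the role's Jackrabbit group: users
   * not named are removed, named users not yet present are added (and purged from the
   * UserDetails cache); non-user members of the group are left untouched.
   *
   * <p>The tenant admin role is protected against being emptied twice: up front when no names
   * are given, and again after name resolution, because names that do not resolve to a user are
   * silently skipped and a request naming only unknown users would otherwise strip the last
   * administrator.
   *
   * @param session JCR session used for all lookups and changes
   * @param theTenant tenant of the role; {@code null} derives it from the group id / role name
   * @param roleName name of the role (Jackrabbit group)
   * @param memberUserNames desired members; {@code null} or empty means "nobody"
   * @throws RepositoryException when the change would leave the tenant admin role empty, or on
   *     repository errors
   * @throws NotFoundException when the role does not exist or its tenant is not accessible
   */
  public void setRoleMembers(
      Session session,
      final ITenant theTenant,
      final String roleName,
      final String[] memberUserNames)
      throws RepositoryException, NotFoundException {
    boolean isTenantAdminRole = tenantAdminRoleName.equals(roleName);
    boolean nobodyRequested = memberUserNames == null || memberUserNames.length == 0;

    // First guard, before any group lookup (null names previously hit an NPE on .length here).
    List<IPentahoUser> currentRoleMembers = getRoleMembers(session, theTenant, roleName);
    if (isTenantAdminRole
        && currentRoleMembers != null
        && !currentRoleMembers.isEmpty()
        && nobodyRequested) {
      throw lastAdminRoleException();
    }

    Group jackrabbitGroup = getJackrabbitGroup(theTenant, roleName, session);
    if ((jackrabbitGroup == null)
        || !TenantUtils.isAccessibleTenant(
            theTenant == null
                ? tenantedRoleNameUtils.getTenant(jackrabbitGroup.getID())
                : theTenant)) {
      throw new NotFoundException(
          Messages.getInstance()
              .getString("AbstractJcrBackedUserRoleDao.ERROR_0002_ROLE_NOT_FOUND"));
    }

    // Users currently in the group, keyed by id.
    HashMap<String, User> currentlyAssignedUsers = new HashMap<String, User>();
    Iterator<Authorizable> currentMembers = jackrabbitGroup.getMembers();
    while (currentMembers.hasNext()) {
      Authorizable member = currentMembers.next();
      if (member instanceof User) {
        currentlyAssignedUsers.put(member.getID(), (User) member);
      }
    }

    // Users that should be in the group afterwards; names that do not resolve are skipped.
    HashMap<String, User> finalCollectionOfAssignedUsers = new HashMap<String, User>();
    if (memberUserNames != null) {
      ITenant tenant = theTenant == null ? JcrTenantUtils.getTenant(roleName, false) : theTenant;
      for (String user : memberUserNames) {
        User jackrabbitUser = getJackrabbitUser(tenant, user, session);
        if (jackrabbitUser != null) {
          finalCollectionOfAssignedUsers.put(
              tenantedRoleNameUtils.getPrincipleId(tenant, user), jackrabbitUser);
        }
      }
    }

    // Second guard, after resolution: the resolved set may be empty even though names were given.
    if (isTenantAdminRole
        && !currentlyAssignedUsers.isEmpty()
        && finalCollectionOfAssignedUsers.isEmpty()) {
      throw lastAdminRoleException();
    }

    ArrayList<String> usersToRemove = new ArrayList<String>(currentlyAssignedUsers.keySet());
    usersToRemove.removeAll(finalCollectionOfAssignedUsers.keySet());

    ArrayList<String> usersToAdd = new ArrayList<String>(finalCollectionOfAssignedUsers.keySet());
    usersToAdd.removeAll(currentlyAssignedUsers.keySet());

    for (String userId : usersToRemove) {
      jackrabbitGroup.removeMember(currentlyAssignedUsers.get(userId));
    }

    for (String userId : usersToAdd) {
      jackrabbitGroup.addMember(finalCollectionOfAssignedUsers.get(userId));

      // Purge the UserDetails cache
      purgeUserFromCache(userId);
    }
  }

  /** The "last admin" rejection shared by both guards in {@link #setRoleMembers}. */
  private RepositoryException lastAdminRoleException() {
    return new RepositoryException(
        Messages.getInstance()
            .getString(
                "AbstractJcrBackedUserRoleDao.ERROR_0001_LAST_ADMIN_ROLE", tenantAdminRoleName));
  }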